"There are multiple instances of the storage of clear-text credentials that can be recovered and leveraged for unauthorized usage of a user's account on the malicious user's own device or online at https://www.starbucks.com/account/signin," Wood said in a research note.

Starbucks said that though the report is "technically accurate ... unauthorized access to this information is safeguarded."

"Our customers' security is of the utmost importance to us, and we actively monitor for risks and vulnerabilities. While we are aware of this report, there is no known impact to our customers," said Starbucks spokesperson Linda Mills.

"To further mitigate our customers' potential risk from these theoretical vulnerabilities," she added, "Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way."